Although the U.S. has been slow to address the issue of data privacy and security in comparison to Europe, some states have recently begun to champion the cause. New York’s updated SHIELD Act, passed during the 2019 legislative session, goes into effect on March 21, 2020.
In many ways, this law is more expansive than previous attempts at holding entities responsible for safeguarding data within their possession.
New York’s updated SHIELD Act targets organizations that hold private information of New York residents. Its scope is significantly broader than laws targeting entities within a specific state, as it could apply to virtually any organization conducting business online, whether the entity is within the state of New York or not.
For example, a business headquartered in Connecticut or New Jersey might well employ New York residents, and thus be covered by the SHIELD Act. Similarly, a retailer in Nebraska could fall within the law’s parameters by virtue of selling products to residents of New York.
The act defines “private information” broadly, including data such as Social Security numbers, driver’s license numbers, credit/debit card numbers, bank or other financial account numbers, email addresses, passwords, and biometric information. Theoretically, given the prevalence of facial recognition technology, “biometric information” could be interpreted to include any pictures or video recordings of an individual’s face.
Perhaps most interestingly, the law allows fines simply because an entity does not have reasonable data safeguards in place, even if no breach has actually occurred.
Unlike other legislation, New York’s SHIELD Act includes provisions that attempt to define the term “reasonable safeguards.” Specifically, organizations are deemed to be in compliance with the act by virtue of implementing a data security program that includes a number of specific elements. Some of these elements are shown below, although this list is not intended to be comprehensive.
- Designates one or more employees to coordinate the data security program
- Identifies reasonably foreseeable internal and external risks
- Assesses the sufficiency of safeguards in place to control the identified risks
- Trains and manages employees in the security program practices and procedures
Interestingly, the law goes on to call out both technical safeguards and physical safeguards. In practical terms, that means simply securing data via encryption, passwords, etc. is not enough. Organizations also need to ensure that the data is not, for example, housed on a server sitting in an unlocked closet.
While the legislation does allow certain small businesses to achieve compliance via other methods, the definition of those methods is much less clear.
Like any legislation, New York’s SHIELD Act includes many details, definitions, exemptions, and caveats, and the information above is only a summary. That said, the takeaway is that defining and implementing a data security program is not just a good idea; it’s now the law.
Do you have your “technical” and “physical safeguards” in place, as stipulated by SHIELD? Assess your security with our free Security Foundations checklist. Contact us to see how your firm can implement a security program.